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Abstract: The Tor anonymity network has been shown vul- 
nerable to traffic analysis attacks by autonomous systems and 
Internet exchanges, which can observe different overlay hops 
belonging to the same circuit. We evaluate whether network 
path prediction techniques provide an accurate picture of the 
threat from such adversaries, and whether they can be used 
to avoid this threat. We perform a measurement study by col- 
lecting 17.2 million traceroutes from Tor relays to destinations 
around the Internet. We compare the collected traceroute paths 
to predicted paths using state-of-the-art path inference tech- 
niques. We find that only 20.0% of predicted paths match paths 
seen in the traceroutes. We also consider the impact that pre- 
diction errors have on Tor security. Using a simulator to choose 
paths over a week, our traceroutes indicate a user could expect 
10.9% of paths to contain an AS compromise and 0.9% to have 
an IX compromise with default Tor selection. We find modify- 
ing the path selection to choose paths predicted to be safe still 
presents a 5.3-11% chance of compromise in a week while 
making 5.1% of paths fail with 96% failing unnecessarily due 
to false positives in path inferences. Our results demonstrate 
more measurement and better path prediction is necessary to 
mitigate the risk of AS and IX adversaries to Tor. 

Keywords: Autonomous Systems; Internet Exchanges; Tor 

DOI 10.1 51 5/popets-201 5-0021 

Received 2015-02-15; revised 2015-05-15; accepted 2015-05-15. 

1 Introduction 

The Tor network for anonymous communication [14] is sus- 
ceptible to end-to-end timing attacks [33], which allow an ad- 
versary who observes traffic from a client to the first Tor router 
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and at the same time traffic from the last Tor router to the des- 
tination to deanonymize the connection. Both of these paths 
traverse a number of Internet routers that belong to various 
organizations, leaving the possibility that a single network op- 
erator running an autonomous system (AS) or an Internet ex- 
change (IX) will be in the position to observe both paths and 
thus carry out the end-to-end timing attack [15, 17, 22, 23, 30]. 
This threat is made more likely by the concentration of Inter- 
net traffic at Tier 1 ISPs and high-volume IXes. 

To assess the vulnerability of Tor to AS and IX adver- 
saries, it is necessary to predict the paths that traffic takes on 
the Internet. Previous work characterizing this threat has relied 
chiefly on AS-level routing predictions [31]. Such predictions 
are well known to be incomplete and imprecise, producing er- 
roneous path predictions. Our goal is to evaluate the impact 
of these errors on the anonymity of Tor. In particular, we are 
concerned with two research questions: 

- Are AS-level routing predictions suitable for characteriz- 
ing the threat of AS and IX adversaries in Tor? 

- Can AS-level routing predictions be used to construct Tor 
paths that avoid AS and IX adversaries (as has been sug- 
gested in previous work [5, 15])? 

To answer these questions, we performed a measurement 
study, collecting traceroute probes from Tor relays to obtain a 
more accurate picture of Internet paths actually used by net- 
work traffic. In comparing results from traceroutes to state-of- 
the-art path prediction, we found that the prediction accuracy 
was notably worse than previously measured, despite the fact 
that we are interested in a simplified prediction problem look- 
ing for the set of ASes (or IXes) on a path, rather than the 
exact sequence. The errors include both extraneous ASes and 
IXes in the prediction that are not seen in traceroutes and, more 
worryingly, ASes and IXes in the traceroutes that are missing 
from the prediction. It is possible to produce an overestimate 
of the AS and IX sets by considering several of the most likely 
paths produced by the prediction algorithm, rather than just 
the top one. Such overestimates reduce but do not eliminate 
the problem of missing ASes and IXes, at the cost of signifi- 
cantly increasing the number of extraneous predictions. 

We next analyze the impact of these prediction errors on 
the vulnerability of Tor to AS- and IX-level adversaries, with 
the help of a simulator that faithfully reconstructs Tor paths 
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that may have been chosen by a Tor user. 1 We find that AS 
and IX path prediction significantly overestimates the threat 
of vulnerability to such adversaries; at the same time, most 
users do run a significant risk of compromise by an AS-level 
adversary as determined from the traceroute data, whereas IX- 
level adversaries affect only a small fraction of paths. 

We then modify our simulator to specifically avoid select- 
ing paths that are vulnerable to AS or IX adversaries based 
on predictions, as has been previously suggested. We show 
that this significantly limits the choice of paths and frequently 
results in no paths being available for use while following 
the Tor practice of maintaining a long-term fixed set of entry 
guards into the network. These limits would require reconsid- 
ering the already complex set of tradeoffs in the design of the 
mechanisms for selecting and updating the set of entry guards 
used in Tor [16]; we note that the situation is made worse by 
the recent move towards using a single entry guard instead of 

3 [13]. 

On the other hand, we find that many of these failures are 
a consequence of over-prediction, as we are often able to find 
suitable non-vulnerable paths in our traceroute data set despite 
covering only a fraction of the Tor relays. Our work suggests 
that a defense based on proactive path measurement, rather 
than AS path models, is likely to be more practical and offer 
better security guarantees. 

2 Background 

2.1 Tor 

Tor is a popular system for anonymous communication on- 
line [14]. Tor consists of a network of volunteer relays that 
form an overlay network and forward traffic sent by users run- 
ning Tor clients. In February 2015, it contained approximately 
7 000 relays and transferred around 70 Gbps of data for a user 
population estimated at over 2 000 000. 2 

Tor uses onion routing to achieve anonymity. A client sets 
up a connection to a destination by choosing a sequence of 
three relays, conventionally called guard, middle, and exit, and 
establishing a circuit through the sequence. The client encrypts 
a message once for each circuit relay (a process called onion 
encryption), sends it through the circuit, and each relay re- 
moves one layer of encryption before forwarding. The final 
relay sends unencrypted messages to the destination. The re- 
verse process happens for messages from the destination to the 


client. As a result of this process, the client identity is only di- 
rectly observable in traffic between the client and the guard 
relay, and the destination identity is only directly observable 
in traffic between the exit relay and the destination. 

In order to be real-time and efficient, Tor does not mix, 
pad, or delay traffic. Therefore, it is vulnerable to attacks based 
on traffic analysis. For example, an adversary that can ob- 
serve a circuit between the client and guard and also between 
the exit and destination can correlate the traffic patterns and 
deanonymize the connection [8]. Thus entities that can observe 
parts the underlying network infrastructure, such as Internet 
Service Providers or Internet Exchanges, are a serious threat 
to Tor. Previous work has shown that individual autonomous 
systems and Internet exchanges are in fact frequently in a po- 
sition to break Tor’s security [15, 17, 22, 23, 30]. However, 
almost all of this analysis uses heuristic route-inference tech- 
niques whose accuracy may not be satisfactory. Murdoch and 
Zielinski [30] do study Tor security against IXes using tracer- 
outes from Tor relays, but the traceroutes are performed from 
the UK only, and the analysis does not consider whether IX 
adversaries can be avoided during path selection. 

2.2 Internet routing 

Internet routing at the highest level is performed among 
autonomous systems using the Border Gateway Protocol 
(BGP) [32]. An AS is a network with an opaque internal 
routing policy (e.g., using OSPF [29], IS-IS [9], RIP [27], or 
iBGP [32]) that routes traffic to and from other networks. BGP 
is a path-vector routing protocol since neighboring networks 
advertise the whole AS path that they will use to send traf- 
fic to a given destination. A path is advertised for an IP prefix 
and represents the path used for all IP addresses sharing that 
prefix. Path-vector routing enables each AS to make complex 
routing decisions based on factors such as individual contracts 
with other ASes. 

Understanding the behavior of such complex routing poli- 
cies on the Internet is a challenging problem. Routers just 
propagate the routes that they provide for a given neighbor 
to use, and so different Internet vantage points reveal dif- 
ferent subsets of global routing behavior. Sources of rout- 
ing data include the Route Views Project, 3 which provides 
BGP routing information from many large ASes, and CAIDA 
Archipelago, 4 which provides and analyzes traceroute data 
from three teams of 17-18 monitors distributed worldwide. 
Gao describes how to use such data to infer AS-level Internet 


1 TorPS: http://torps.github.io/ 3 http://www.routeviews.org/ 

2 https://metrics.torproject.org/ 4 http://www.caida.org/projects/ark/ 
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routes [18]. Gao’s method uses heuristics to classify the ob- 
served connections between ASes by their economic relation- 
ship (viz. customer-to-provider, provider-to-customer, peer-to- 
peer, or sibling). Shortest-path valley-free routing is used to 
infer the route between two hosts. Valley-free routing verifies 
paths have all costly customer-to-provider links first with an 
optional sibling or peer-to-peer link followed by only preferred 
provider-to-customer links on the path. Qiu and Gao improve 
the accuracy of this technique by incorporating the observed 
advertised BGP paths [31]. In addition, they describe how to 
infer a set of possible paths rather than just one. Their results 
show that these techniques can infer the exact correct AS path 
for 60% of evaluation ASes; furthermore, the exact path is 
found within the top 5 predicted possible paths for 83% ASes 
and within the top 14 paths for 86% ASes. 

Many links between ASes occur at Internet exchanges. 
These are facilities that provide space and infrastructure for 
ASes to locate routers and establish connections. Ager et 
al. [4] describe how the largest IXes may provide links among 
hundreds of ASes and carry petabytes of traffic per day. Au- 
gustin et al. [7] describe how IXes on Internet routes can be 
detected using traceroutes and an index of known IXes and 
their IP prefixes. They identify 44000 peering relationships 
between ASes at IXes. Each peering between two ASes indi- 
cates that some traceroute passed directly from one AS to an- 
other through an IX. Discovering such links can improve the 
accuracy of AS path inference techniques. However, as we will 
observe, it doesn’t discern among different router-level paths 
taken between the same two ASes, which may pass through 
different IXes. 

2.3 Traceroute measurement 

The traceroute tool is extraordinarily useful in measuring rout- 
ing behavior on the Internet. The basic algorithm iteratively 
issues UDP packets with unique ports and an increasing time- 
to-live (TTL) value. Then for any ICMP Time Exceeded re- 
sponse it uses the contained UDP port number to identify the 
TTL value used and infers that the source IP address is lo- 
cated at that path position. There are many variations of the 
basic algorithm [26] which provide different levels of success 
depending on the traffic engineering (e.g., filtering and load 
balancing) that occurs en route. 

In addition to such problems with traceroute itself, it is 
not always straightforward to make inferences about Internet 
paths from a traceroute. For example, Mao et al. [28] describe 
the difficulties of inferring an AS-level path from traceroutes, 
which include that different iterations of a single traceroute 
might take different paths, that reported IP addresses may be 
from a network interface other than the one that actually re- 


ceived it, and that mapping from IP address to AS number is 
non-trivial due to inaccurate WHOIS information. Augustin et 
al. [7] discuss similar issues in inferring the presence of IXes 
from traceroutes. 

Nevertheless, traceroutes do provide a generally accurate 
picture of how packets are actually routed at the AS level. Re- 
search on AS-level routing rarely uses any real ground truth 
data because routing involves the proprietary information of 
many parties. Instead, traceroutes and advertised BGP paths 
are the most frequently used sources of data (e.g., [28, 31, 36]), 
although each has inaccuracies. A thorough comparison of 
these data [28] showed that among completed traceroutes (the 
type that we consider), approximately 90% of their AS paths 
matched the advertised BGP paths exactly. 

Traceroutes serve as an important comparison point to 
AS-level path predictions. These inferred AS paths are much 
less consistent with advertised BGP paths, and in this paper, it 
is the inferred paths that we are trying to evaluate. Only 60% 
of AS paths inferred using the Qiu-Gao algorithm have an ex- 
act match with advertised BGP paths on average [31]. Indeed. 
Qiu and Gao justify their inference method over using tracer- 
outes only because “traceroute requires the access to source 
machines and is resource consuming”. 

Moreover, the mismatches that do exist between tracer- 
outes and advertised BGP paths often favor traceroutes for Tor 
security analysis. Mao et al. [28] show that advertised paths 
miss exchange ASes, sibling ASes, and tail ASes. These ASes 
should be included when considering Tor security, and such 
mismatches are found in 1-3% of the completed paths they 
compare between traceroute AS paths and advertised BGP 
paths. 

For IXP inference, traceroutes are the main data used 
in the literature (e.g., [7, 30]). Indeed, the IXP inferences 
methodology that we apply uses traceroute data as a primary 
data source. 

3 Mapping Network Adversaries 

3.1 Measuring Internet Paths 

3.1.1 Generating Traceroutes 

Our measurement study consists of running traceroutes from 
Tor relays to various destinations in the Internet. We use the 
scamper 5 network tool, which probes multiple destinations in 
parallel, and uses techniques to accurately discover the Inter- 


5 http://www.caida.org/tools/measurement/scamper/ 
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net path traversed by packets in the presence of multi-path load 
balancing [6, 24]. 

For our measurements, we extracted the set of advertised 
destination IP prefixes from the September 2013 Routing In- 
formation Bases (RIBs) of the Route Views routers. Each 
relay running the measurements picks a random IP address 
within each of the approximately 500K prefixes and performs 
a traceroute to that destination. We also collected traceroutes 
to the Tor relays themselves as well as a scan of all /24 IPv4 
subnets, but this data was not used for the analysis in this pa- 
per. We focus on the advertised prefixes to make the analysis 
more tractable. We expect addresses within a prefix to use the 
same or similar routes, and our analysis of CAIDA’s tracer- 
outes to all /24 IPv4 subnets [3] found that 81% of the time 
traceroutes destined to the same routable prefix traversed the 
same set of ASes. Our measurement scripts are available for 
public review. 6 

3.1.2 Processing Traceroutes 

We next process the traceroutes to determine which ASes and 
IXes an Internet path has traversed. First, we filter out tracer- 
outes that do not successfully reach the destination. Note that 
because we use randomized destinations, in many cases the 
destination may not exist or may be down; indeed, only a small 
fraction (8%) of probes reaches their target. However, 49% 
reach the AS of the destination, as determined by the Max- 
Mind GeoIP database [2]. 

We further find that 94% of the traceroutes are missing 
some hops from the path. In some cases, we believe missing 
paths are caused by routers close to the probe source rate lim- 
iting their ICMP responses. To address this, we perform route 
stitching , where gaps in a traceroute are filled by path seg- 
ments observed in other traceroutes. For example, if we see a 
path “A B C D E” and another path "A B * D F,” where 
denotes a missing hop, we can repair the second path by infer- 
ring that the third hop must have also been C in this case. To 
minimize inaccuracies introduced by this repair mechanism, 
we only consider path segments that originate from the same 
host, and which are contained within the same batch of 64K 
traceroutes, which typically occur within an hour or two of 
each other. We validated this approach on complete paths and 
found that stitching would have given us the correct AS path 
result 96% of the time. 

We then compute the ASes corresponding to each IP in 
the path using the GeoIP database. Similar to Mao et al. [28], 
we consider the corresponding AS path complete if the tracer- 


6 https://bitbucket.org/anupam_das/traceroute-from-tor-relays 


oute reached the AS of the destination and there are no miss- 
ing hops in the path on the boundary between ASes. For ex- 
ample, an AS path “AS1 AS1 * AS1 AS2 AS3” is consid- 
ered complete, because the missing hop is contained entirely 
within AS1, whereas “AS1 AS1 * AS2 AS3” is considered in- 
complete. Overall, 28% of the traceroutes yield a complete AS 
path. We discard the other traceroutes from our analysis. We 
also identify an IX as on the path if the path contains an IP 
address from the list of known IP addresses of IX points as 
outlined in the following section. 

3.2 Inferring Path ASes and IXes 

We are interested in comparing the AS and IX adversaries 
identified from traceroute data compared to AS and IX adver- 
saries inferred from AS maps which are much easier to attain 
and maintain. We predict AS paths from source to destination 
using Gao’s algorithm [18] to classify relationships and Qiu 
and Gao’s algorithm [31] to infer the top k paths (for k = 1 
to 5). While advances have been made in classifying AS link 
relationships [25], we find that, when available, Qiu and Gao’s 
method of matching RIB paths is more accurate than using 
graph based methods based solely on AS relationships [23]. 
It is known that AS relationships are difficult to classify es- 
pecially at the highly interconnected core of the AS graph. 
Violations in the valley-free principle from advertised routes 
often indicate erroneous AS relationship classification espe- 
cially through top-tier ASes. Therefore Qiu and Gao’s method 
of prepending advertised routes to complete paths yields accu- 
rate results even with incorrectly classified AS relationships at 
the core of the Internet. Since the prepended hops are almost 
entirely easily classified customer-to-provider hops at the bot- 
tom of the AS graph, improving the AS relationship classifi- 
cation of the top-level ASes does little to improve overall AS 
path prediction accuracy. 

To predict the presence of IXes, we recreate the work of 
Augustin et al.[7]. We scraped Packet Clearing House' and 
the Peering Database 8 in February of 2014 creating a list of 
732 Internet exchange points and their known prefixes. We 
parsed over 200 million traceroutes from February and March 
2014 collected from both the CAIDA routed IPv4 database [3] 
and the iPlane project, and identified IXes in the traceroutes 
using the list of IXes and IP prefixes. This analysis revealed 
roughly 130000 Internet exchange point peerings between 
pairs of ASes. Our number is roughly twice the number of 


7 http://www.pch.net 

8 https://www.peeringdb.com 

9 http ://iplane . c s . Washington . edu/ 



Defending Tor from Network Adversaries 


5 



Min 

Max 

Total 

Traces 

392334 

1 195577 

17233153 

IP Reached 

27254 

81 999 

1 183427 

AS Reached 

204836 

618 224 

8890142 

Repaired 

26375 

876 386 

9643679 

Whole IP Path 

0 

16 694 

253058 

Whole AS Path 

11 285 

397533 

5350713 

Probed Hops 

7005020 

20624 809 

297301 238 

Responsive Hops 

1594449 

7041 819 

109046956 

% Hops Responded 

19 

55 

37 

Inferred Paths 

10693 

220449 

4367097 


Table 1. Traceroute experiment statistics (28 hosts) 


links found by Augustin et al. in 2009, which is unsurprising 
considering the trend for ASes to peer at IX points. This IX in- 
ference technique thus produces a list of inferred IXes between 
AS pairs, where each entry in the list consists of a source AS, 
a destination AS, and the set of IXes that were ever observed 
in a traceroute from the source AS to the destination AS. We 
use the list to identify potential IX points on AS-level paths 
throughout our experiment. 


4 Measurement versus Inference 

We first investigate how closely ASes and IXes identified 
through inference correspond to ASes and IXes measured with 
traceroute. We conduct analysis on 17 million traceroute mea- 
surements obtained from 28 Tor relay servers from January 
19-26, 2014 as summarized in Table 1 Our 28 servers included 
many of the largest Tor relays and cover a portion of the Tor 
network which includes 23% of guard node capacity and 26% 
of exit node capacity. Thus, their measurements can give us 
good insight into how traffic is routed in and out of Tor. Of 
these 17 million traces, only about 1 million reached the target 
IP address with roughly 250 000 complete paths with no miss- 
ing IP hops. We find that roughly 9 million paths can have 
some hops filled in by using the repair techniques presented 
in Section 3. We map each IP address to AS numbers using 
the MaxMind GeoLite ASN database taken from January 15th 
2014 [2]. The AS-level paths are then parsed to remove rout- 
ing loops, duplicate hops, and missing hops directly preceded 
by and followed by the same AS. After processing, we obtain 
5.3 million complete AS-level routes. 

4.1 Identifying AS Adversaries 

We first investigate the accuracy of inferring ASes between an 
arbitrary source/destination AS compared to the ASes iden- 



Fig.l. CDF of Missing ASes over all Traces 


tified in our collected traceroutes. The analysis of path pre- 
diction accuracy is conducted on traceroutes collected during 
January 19-26, 2014 giving 5.3 million traces contain 450 000 
unique AS source and destination pairs. We divide the tracer- 
oute data into 24-hour windows. Routing table dumps are 
downloaded from each server from the Route Views project 
from the time closest to the 12th hour of the window. Each 
day window contains an average of 1 5 prefix table dumps with 
between four to six gigabytes of route information broadcasts. 
Using Qiu and Gao’s model we predict the top k = 5 paths for 
roughly 400 000 of these pairs with the rest failing due to either 
the source or destination AS missing from the Route-Views 
routing tables. The 400000 successful path inferences cover 
4.5 million of our 5.3 million traces with AS paths. We con- 
sider the inference identifying the correct path if it matches 
the AS path seen in the traceroute for any of the top k paths 
considered. 

Figure 1 is a CDF showing the number of ASes seen in the 
traceroute but missed by the top k predicted paths. Zero miss- 
ing ASes correspond with a correct path prediction for at least 
one of the k paths. Using only the top path from the prediction, 
yields roughly 20% prediction accuracy with a decreasing re- 
turn for higher levels of k and a maximum accuracy of 48% 
when considering the top 5 paths. This accuracy is far lower 
than the 83% accuracy for the top 5 paths attained by Qiu 
and Gao; however, their validation was conducted using Route 
Views data as the ground truth and not traceroute data [18]. We 
surmise the lower accuracy is due to a combination of known 
error sources both from the increase in prevalence of IX peer- 
ing [4] and inherent errors in traceroute measurements from 
actual AS-level paths [36]. We finally note that the overall ac- 
curacy of prediction is similar to our extensive analysis of ac- 
curacy against CAIDA traceroutes demonstrating that the Tor 
network would benefit from improvements to path prediction 
in the general case [23]. 
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Fig. 2. CDF of Missing IXes over all Traces Fig. 3. Observed Internet Exchange Points 



Source Hosts (ASes Left IXes Right) Source Hosts (ASes Left IXes Right) 


Fig. 4. Avg Missing ASes and IXes Per Host 


Fig. 5. Extra ASes and IXes Per Host 


4.2 Identifying IX Adversaries 

Given an AS path, we can identify the set of potential IXes 
that could occur on this path by considering which IXes can be 
used for each AS-AS hop, as discussed in Section 3.2. Figure 
2 compares the set of potential IXes for the top k predicted 
AS paths to the set to the IXes identified by IP address prefix 
in traceroutes. Once again, a value of zero indicates that all 
IXes have been identified in the inference. We find that the top 
path identifies roughly 40% of the IXes and the top five paths 
identify roughly 74% of the IXes. 

We expect traceroutes to provide a much more accurate 
picture of which IXes were involved on a path than AS path 
predictions. A pair of ASes will often have multiple peering 
points, depending on the geographic location the source and 
destination; as a result, only a fraction of traffic between the 
two ASes will use a given IX. In Figure 3, we compare the 
set of IXes on a traceroute to the predicted set of IXes that 
could be used at each AS-AS hop in the traceroute. We see 
that while most traceroutes do not traverse any IX, the AS-AS 
hops result in 3-8 potential IXes on average. This experiment 


demonstrates the limitations of using only AS-level informa- 
tion to infer IXes on a path. 

4.3 Choosing k Top Paths 

Choosing the k top paths to consider when predicting AS 
and IX points presents an important tradeoff between miss- 
ing ASes/IXes versus severely overstating the number of 
ASes/IXes on a given path. Figures 4 and 5 show the miss- 
ing AS/IXes and extra AS/IXes seen by the path prediction 
algorithms for the k top paths from k = 1 to 5. For ASes, we 
see diminishing returns for missing ASes for larger values of 
k with false positives increasing quickly for larger values of k. 
Overall, the average attainable missing AS accuracy is close to 
1 for the top path decreasing down to 0.6 for the top 5 paths. 

We compare the IXes found using vulnerable AS-AS 
hops from the inferred AS paths directly to the IXes identi- 
fied by prefix in the traceroutes. In general, very few IX points 
were seen in the traceroutes. In most hosts, IX identification is 
helped very little by increasing the top paths with the average 
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missing IX of about 0.2 per hop. This result is unsurprising 
because if there are no IX points in the traceroutes, then there 
can be no missing IXes in the inference. Unfortunately, the 
false positives for IX points are problematic with linearly in- 
creasing averages ranging from 10-25 for each of our hosts il- 
lustrating the need for better methods in identifying IX points. 

For AS adversaries, a k value of 1 or 2 seems most ap- 
propriate to identify most AS adversaries without causing too 
many false positives. Higher values of k give lower rates of 
return while causing a linear increase in false positives. Iden- 
tifying IX adversaries is much more problematic. Since the 
traceroutes identify very few IX adversaries to begin with, a k 
value of 1 appears to work well. The inaccuracy of the method 
can be seen in the false positives which also increase linearly 
with k but greatly over-predict the number of adversaries even 
with a k value of 1. The inaccuracy of AS and highly inac- 
curate IX prediction could potentially cause serious problems 
when designing a system of AS/IX independence in Tor. We 
analyze the effects of this inaccuracy in the following sections. 

5 AS and IX Adversaries in Tor 

Errors in path prediction call into question previous work that 
has used path prediction to both evaluate the security of Tor 
and propose changes to Tor’s path selection based on path pre- 
dictions. Understanding the effect of the errors uncovered by 
our traceroute measurements requires taking into account the 
specific properties of Tor. 

We accomplish such an analysis by simulating the Tor 
protocol and network at a high level. We use and adapt the Tor 
Path Simulator (TorPS) 10 to perform Monte Carlo simulation 
of Tor path selection by a single client. By using the hourly 
network “consensuses” and server “descriptors” archived by 
CollecTor, 11 we can recreate the state of the Tor network over 
the period we run our simulations, including features such as 
the number, bandwidths, and addresses of Tor relays available 
in any given hour. We simulate “typical” user activity using the 
recorded volunteer trace of Johnson et al. [22], which includes 
user behaviors such as web search and webmail on a plausible 
daily schedule. Over the course of a week, this schedule re- 
sults in 2632 streams (i.e., TCP connections over Tor), each to 
one of 205 distinct IP addresses occupying 168 unique ASes, 
on either port 80 or 443. Finally, we run simulations using the 
most common client ASes as measured by Juen in Fall 2011 
[23], 


10 https://github.com/torps 

11 https://collector.torproject.org/ 


Simulating path selection in Tor allows us to estimate 
which Internet hosts a user’s traffic is likely to flow over in 
a typical use case. Then we can use our traceroute data to de- 
termine the specific Internet routes that traffic would take and 
evaluate the resulting security. Specifically, we provide new 
estimates for how often a Tor stream flows through the same 
AS or IX between the client and the guard and between the 
destination and the exit. When this happens, the AS or IX is in 
a position to deanonymize the client. This issue was previously 
studied only using inferred AS paths and IX sets. 

In addition, using this method we provide an improved 
evaluation of the repeatedly-proposed [15, 17] modification 
to Tor to use AS/IX path inference to choose relays that 
are path independent , that is, that result in paths for which 
the same AS or IX cannot observe both the client and the 
destination. We modify TorPS to produce the first simulator 
for path-independent Tor (to our knowledge) that reproduces 
how path selection occurs over time, including features that 
have the potential to significantly alter the effectiveness of the 
path-independence requirement, such as guard lists and circuit 
reuse. We apply our traceroute measurements to the results of 
these simulations to evaluate the effectiveness of path infer- 
ence as a basis for path independence in Tor. 

5.1 Vanilla Tor 

All of our Tor simulations run over the week of January 19- 
25, 2014. When producing and analyzing these simulations, 
we generally use the same data sources and inference algo- 
rithms as in Section 3.2 to produce AS path inferences, AS- 
level IX inferences, and traceroute IX inferences. We use daily 
AS-path inferences conducted from January 19-25, 2014 com- 
pared to the traces from each day of the simulation week. We 
also use the daily Route Views prefix-to-AS datasets to de- 
termine routed prefixes and to map IPs to ASes. When an- 
alyzing our simulations using traceroutes, we use all of the 
traceroute measurements gathered during the week of January 
19-25, 2014. In our analysis we match a traceroute to a pair 
of communicating hosts in Tor if the source prefix and desti- 
nation prefix match. 

We first conduct a simulation using the default Tor path 
selection algorithm. We consider clients coming from 50 of the 
top 200 most common client ASes (as measured by Juen [23]). 
Each AS advertises hundreds of possible prefixes in the Route 
Views data. We select at random twenty prefixes per client AS 
for a total of 1 000 client prefixes for the simulations. The sim- 
ulator runs 10000 repetitions of simulated traffic using input 
data from the week of January 19th-25th 2014 yielding over 
24 million traffic streams per client prefix with 18.2 million 
unique streams. We identify the presence of AS and IX adver- 
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Fig. 6. Directional AS Compromises for k Top Paths Fig. 7. Directional IX Compromises for k Top Paths 


saries using AS-path inference with the top k paths (fc= 1 to 
5) and our collected traceroute data from January 19-January 
25. In total, we have inferred path information for an average 
of 18 million streams per client prefix (18 billion total) and 
traceroute information for an average of 112000 streams per 
client prefix (14 million total). 

5.1.1 Inferred Adversaries 

We first look at the percentage of simulated Tor paths which 
have the same AS or IX on both the client-to-guard path and 
the exit-to-destination path using only the inferred paths. We 
look at the percentage of compromised paths considering the 
set of ASes and IXes in the forward direction (client to desti- 
nation), the reverse direction, and the forward and reverse di- 
rections combined. We also consider the direction of streams 
leaving Tor; i.e., from the guard to the client and from the exit 
to the destination. This direction matches the direction of our 
traceroute measurements from Tor relays to external IP pre- 
fixes and allows us to compare the predicted paths with tracer- 
oute data, without errors being introduced due to asymmetric 
Internet paths that traverse a different set of ASes and IXes. 
We call this path the Tor path. 

Figures 6 and 7 show the percentage of inferred ASes and 
IXes for each direction and top k paths averaged over all 18 
billion inferred streams. Considering only the top path, we see 
11.6%, 11.6%, 12.1% and 21.6% AS compromise rates for the 
forward, reverse. Tor, and forward/reverse paths respectively. 
We see a significant increase in AS adversaries when consid- 
ering more paths topping at 58.8%, 60.6%, 62.0%, and 71.8% 
when considering the top 5 paths for the forward, reverse, Tor 
and forward/reverse paths respectively. We notice little differ- 
ence between the compromise rates of the Tor paths versus 
the forward or reverse. As expected, the forward and reverse 


combined represents a higher inferred compromise rate since 
we consider two sets of ASes per path. The forward/reverse 
has roughly a 10% greater rate of compromise for the top path 
and roughly a 20% greater compromise rate when k is varied 
from 2 to 5. For the top path, the IX compromise rates were 
higher with 27.0%, 17.5%, 29.3% and 43.5% for the forward, 
reverse, Tor and forward/reverse paths respectively. These in- 
creased rapidly at first leveling off to 72.3%, 72.5%, 74.7% 
and 77.2% for the top 5 paths. Once again, the forward/reverse 
paths contain more potential IX adversaries due to consider- 
ing more paths. There is little significant difference between 
the compromise rates of the forward paths and the Tor paths. 
We also note that the number of inferred potential adversaries 
greatly increases when considering a higher number of top k 
paths. 

5.1.2 Measured and Inferred Adversaries 

We now compare the inferred AS and IX adversaries to the 
AS and IX adversaries actually present in the traceroute mea- 
surements for all of our simulated Tor circuits. To make the 
comparison fair, we only consider the traceroutes and inferred 
paths going from the Tor guard to the client and from the 
Tor exit to the destination. As seen in the last section, the in- 
ferred paths using the Tor direction contains similar compro- 
mise rates to the paths in the forward and reverse directions. 
We thus consider the subset of paths for which we have both 
AS inferences and measured traceroutes in the Tor direction 
giving us a set of 141 million streams from 1000 unique client 
prefixes. 

Figure 8 shows the CDF of streams compromised in the 
traceroute measurements compared to the inferred for various 
k top paths. Interestingly, the AS compromise rates for the top 
path is similar to the actual compromise rates seen in the mea- 
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Fig. 8. AS Compromises Measured and Inferred 


Fig. 9. IX Compromises Measured and Inferred 



Fig. 10. AS Compromise Agreement 


surements. Considering the top 2 paths more than doubles the 
inferred compromise rate with lower increases with increas- 
ing k topping out at a little under a 50% compromise rate for 
half the paths. Figure 9 shows the CDF of streams compro- 
mised with measured versus inferred IX adversaries. The ac- 
tual percentage of paths with an IX adversary identified by pre- 
fix is much smaller than the inferred value with only 0.8% of 
streams seeing an IX adversary on both the client to guard and 
exit to destination simultaneously. The inferred paths greatly 
over exaggerate the threat with the top path giving an aver- 
age of 40% compromise rate and the top 5 five paths giving 
an average of nearly 60% compromise rate. Thus, the method 
of inferring IX adversaries greatly over predicts the number of 
actual IXes seen when measuring paths using traceroute. 

We now consider the differences between adversaries seen 
using the inference methods versus the adversaries seen in the 
traceroutes. We consider adversaries seen in the inferred set 
but not in the measured set as false positives and adversaries 
seen in the measurements but not the inferred set false nega- 



Fig. 11. AS Compromise False Positives 


tives. While the traceroute measurement can contain errors and 
does not constitute perfect ground truth, we consider it more 
reliable than the inferred methods. In the following analysis 
all percentages are the percentage of paths compared to the 
set of all 141 million simulated paths for which we have both 
inferred and measured data. 

Figures 10 through 15 show the CDFs for the percentage 
of streams compromised per prefix for both ASes and IXes 
that both methods agree, the inference indicates an adversary 
while the measurement does not (false positives) and the mea- 
surement indicates an adversary while the inference does not 
(false negative). We see that while the percentage of overall AS 
compromises for the top path was similar in the last section, 
they do not agree on which AS is causing the compromise. In 
our measurements, we find roughly 10.9% of streams could 
contain a potential AS adversary. Unfortunately, the measured 
and inferred AS only agree for an average of 2.6% AS com- 
promises when considering the top path. Increasing to the top 
two paths improves agreement by a factor of 2 to 5.1% aver- 
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Fig. 12. AS Compromise False Negatives 



Fig. 14. IX Compromise False Positives 


age agreement with higher k values giving diminishing returns 
after that. Unfortunately, increasing k from 1 to 2 significantly 
increases the average number of false positives from 8.5% to 
22.6% with a more linear increase with k up to 41.1% with 
k = 5. For false negatives, the greatest drop once again oc- 
curs when going from the top paths to the top two paths from 
8.4% to 5.8% with diminishing returns with increasing k and a 
minimum of 4.3% average with k = 5. Overall, the AS infer- 
ence with the top 2 paths catch a little less than half the mea- 
sured AS adversaries catching 5.1% and missing 5.8% of the 
actually measured 10.9% of measured AS adversaries Unfor- 
tunately, it still pre-emptively would eliminate 22.6% of paths 
which had no measured adversary. 

The agreement with the IX adversaries is even lower. Both 
methods agree on only 0.36% of paths having an IX adversary 
considering the top path increasing to 0.44% for the top two 
paths up to 0.47% for the top 5 paths. The false positive rate is 
unacceptably high with 34.5% for the top path and 48.1% for 
the top 2 paths up to 55.7% for the top 5 paths. The false nega- 
tive rate is 0.54% for the top path lowering to 0.45% for the top 



Fig. 13. IX Compromise Agreement 



Fig. 15. IX Compromise False Negatives 


two paths down to .42% for the top five paths. Thus eliminat- 
ing paths based on the inference with the top path would catch 
40.0% of the observed IX adversaries (0.9% of total paths) 
while eliminating 34.5% of paths unnecessarily. Using the top 
2 paths would catch 48.9% of observed IX adversaries while 
eliminating 48.1% of paths unnecessarily. Thus, roughly half 
of all potential paths would be eliminated to catch the 0.9% of 
total paths with an observed IX adversary. These results moti- 
vate the need for better methods of inferring IX adversaries in 
order to effectively mitigate the threat to the Tor system. 

5.2 Path-independent Tor 

In order to avoid deanonymization by an AS or IX, Tor clients 
could attempt to choose Tor relays such that the forward and 
reverse paths between the client and guard are independent of 
the forward and reverse paths between the exit and destina- 
tion, in terms of the ASes and IXes that appear. However, it 
is non-trivial to design a system that allows the client to do 
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(a) Undetected compromise among streams that 
successfuily connected 



Top 1 
Path 

Top 3 
Paths 

Mean fraction of streams 
that have traceroutes 

0.0037 

0.0026 

Mean fraction of streams 
with traceroutes that 
are w/o independence 

0.0043 

0.0014 

Min prob of at least one 
stream w/o independence 

0.018 

0 

Mean prob of at least one 
stream w/o independence 

0.11 

0.053 

Max prob of at least one 
stream w/o independence 

0.22 

0.18 


(b) Unnecessary failure among streams without any 
independent path 



Top 1 
Path 

Top 3 
Paths 

Mean fraction of all 
streams that fail due to 
independence constraint 

0.051 

0.060 

Mean fraction of streams 
that have traceroutes 

0.19 

0.19 

Mean fraction of streams 
w / traceroutes that have 
an independent path 

0.96 

0.95 

Min prob of at least 
one stream failure 

1 

1 


Table 2. Path-independent Tor traceroute analysis over 1 89 top client ASes 


so, because he must preserve his anonymity while making this 
decision, and Tor should be usable even by users with little 
bandwidth and low-powered devices. 

As we discuss in Section 6, Edman and Syverson [15] pre- 
sented the first detailed proposal for solving this problem with 
a system that provides enough data for clients to build an AS 
Internet map on which to run AS-path inference. They pro- 
pose a slightly less accurate algorithm than Qiu and Gao’s for 
efficiency. Juen added IX inference to this idea [23]. None of 
the previous work explains how AS/IX-independent circuits 
should be created over time, and thus does not consider how 
path independence interacts with Tor guards or circuit reuse. 
Tor guards in particular are a key Tor feature that defends 
against malicious observation and deanonymization [16, 22]. 
Thus the prior work does not give a clear idea of how well 
AS/IX-independent path selection would work even if path- 
inference techniques were very accurate. 

The inaccuracy of path-inference techniques is likely to 
negatively impact AS/IX-independent path selection in at least 
two ways: (i) missing an AS or IX on a path could cause the 
user to create a path vulnerable to deanonymization, and (ii) 
incorrectly believing that an AS or IX exists on a path could 
leave the user with few or no ways to connect to the destina- 
tion. These problems are placed in tension by the inference 
methodology because false negatives make (i) worse and false 
positives make (ii) worse. For example, as the number k of 
top paths used in inference increases, false negatives should 
go down but false positives should go up. Moreover, the infer- 
ence needs to have few false negatives on all paths collectively, 
or a user will face an increasing risk of deanonymization as he 
visits new destinations and is forced by network churn to use 
different relays. Similarly, an increasing number of false posi- 
tives over time could force the user to choose between not con- 


necting to certain destinations and exposing himself to more 
and more potentially-malicious guards. 

We investigate the suitability of path inference as a ba- 
sis for AS/IX-independent path selection using path simula- 
tion and our traceroute data, similar to how they were used 
in Section 5.1 to explore vanilla Tor security. As a byproduct 
of our research, we also expose a security-performance trade- 
off inherent in the path-independent approach and reveal some 
opportunities to fill in and improve past proposals. 

5.2.1 Methodology 

In order to evaluate AS/IX-independent path selection via sim- 
ulation, we must fill in the details of the algorithm sketched out 
by prior work. We adapt the existing Tor path-selection algo- 
rithm for this purpose. We require clients to have at least 3 
guards in their guard list and to have at least 2 guards active 
with AS/IX path information with the client when creating a 
new circuit. Upon receiving a stream request, existing circuits 
are examined for suitability, including path independence. If 
none is suitable, then circuit-creation is initiated by choosing 
an existing guard, then an exit, and then a middle. If a path- 
independent exit cannot be found for a given guard, the other 
guards are considered, and so on. If no exit is found for any 
current guard, then the circuit creation fails. We note that to 
enable a direct comparison with our traceroute data, our sim- 
ulator only compares the inferred AS/IX path from the guard 
to the client and from the exit to the destination when deter- 
mining path independence (i.e. only reverse entry and forward 
exit paths are used). 

We generally follow the same experimental methodology 
as that followed in Section 5.1. We will not be estimating full 
distributions, and thus we use only 500 samples per client AS, 
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but we run experiments with the 189 of the top 200 client ASes 
that were in our AS-level routing map. 

In our experimental analysis, we are able to use traceroute 
data to identify false negatives and false positives. 50 client 
IPs are chosen randomly from the set of the initial IPs in each 
prefix advertised by the client’s AS (according to the Route- 
Views prefix-to-AS file that appears most recently before that 
stream occurred). To identify false negatives, we test streams 
that were successfully assigned to a circuit by looking for a 
traceroute from the guard’s routing prefix to the client’s and 
from the exit’s prefix to the destination’s. When both tracer- 
outes are found, we look for ASes or IXes that appear in com- 
mon. To identify false positives, we test streams that failed 
to connect by looking for a traceroute from any of the active 
guards at that time to the client and from any potential exit to 
the destination. If such a pair exists, we look for the lack of 
any AS or IX in common. 

5.2.2 Results 

Table la provides estimates for the effects of path inference er- 
rors on the security of path-independent Tor. The min, mean, 
and max values are taken over 188 top client ASes (we fur- 
ther excluded one that didn’t advertise any prefixes during the 
simulation week). Our traceroute data provided path informa- 
tion (i.e. matched both guard-client and exit-destination host- 
prefix pairs in the direction out from Tor) for 0.26-0.38% of 
the simulations’ streams (depending on whether the top 1 or 
the top 3 inferred paths were used to determine independence). 
Of these, between 0.14% and 0.43% were revealed to violate 
path independence. While compromise rates may seem accept- 
ably low, even one Tor deanonymization is potentially serious, 
and over the course of the simulated week, a client had on av- 
erage between a 5.3% and a 11% probability of experiencing 
at least one path-independence violation. In the most unlucky 
client ASes, path independence was violated with a probability 
as high as 1 8-2 1 % ! 

Table lb shows that this insecurity cannot simply be han- 
dled by increasing the number of top possible paths from 
which the inferred ASes and IXes are taken. It reveals that by 
increasing the number of top paths used in inference from 1 to 
3, the fraction of streams for which no path-independent Tor 
circuit could be created increased from 5.1% to 6%. For these 
streams, no AS/IX path-independent exit could be found using 
any of the client’s guards. Note that a stream failure of any kind 
never occurred in simulation with Tor’s default path selection, 
because Tor doesn’t require path independence, and many ex- 
its are available for each stream in the user trace. Such failures 
are particularly bad because the stream will not succeed until 
the Tor relay population changes sufficiently, a process which 


could take days or weeks. Thus even a 5. 1-6.0% failure rate 
has a severely deleterious effect on Tor’s suitability for general 
Internet use. Moreover, we can see that every simulated client 
experienced at least one stream failure (i.e. the estimated fail- 
ure probability is 1.0 for all client ASes). 

However, our traceroute measurements offer the hope- 
ful news for this problem that most of these stream failures 
may have been unnecessary. We were able to match a tracer- 
oute guard-to-client and exit-to-destination for 19% of failed 
streams. Our coverage of failed streams is so much higher 
than for connected streams because we look for a traceroute 
from any active guard of the client at the time and from any 
exit that could be chosen with that guard and for that destina- 
tion (ignoring only the path-independence constraint). Among 
streams for which we were able to match at least one pair of 
traceroutes, 95-96% had a guard and exit that the traceroutes 
show would have been AS/IX-independent. In fact, this high 
false-positive rate is not just a result of having many exit paths 
about which to be be incorrect, an average of about 80% of all 
guard and exit pairs with matched outgoing traceroutes were 
observed to be path-independent for both experiments. 

5.2.3 Discussion 

Our evaluation of AS/IX-independent path selection is not in- 
tended to make any definitive claims about its usefulness. In- 
stead, we attempt to make reasonable choices about the al- 
gorithm details in order to get some idea of how well it might 
work overall and especially in conjunction with path-inference 
techniques. Indeed, there are many plausible improvements to 
the algorithm we have evaluated, such as choosing guards with 
different network locations to minimize the chance of stream 
failure, or perhaps allowing streams to use potentially unsafe 
circuits but limiting the number of potential observing ASes 
and IXes. Designing network-aware path-selection algorithms 
for Tor remains an open challenge with unsolved vulnerabil- 
ities such as adversarial relay placement [5] and path finger- 
printing [12, 21]. 

6 Related Work 

The threat to the Tor network for ASes to correlate traffic 
was first investigated by Feamster and Dingledine [17]. Us- 
ing a simplified AS model with shortest paths they determined 
roughly 10-30% of circuits could be vulnerable to an AS ad- 
versary. Edmond and Syverson furthered the understanding 
of AS adversaries against the Tor network [15]. Using Qiu 
and Gao’s AS path prediction model and an updated model 
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Method 

Forward 

Reverse 

Both 

Feamster and Dingledine [17] 

17.7% 

16.1% 

NA 

Edmond and Syverson [15] 

10.9% 

11.1% 

17.8% 

Wacek et al. [35] 

NA 

NA 

27.4% 

Juen [23] 

7.1% 

7.2% 

11.2% 

Current Work 

11.6% 

12.1% 

21 .6% 


Table 3. Inferred AS Compromise Comparison (Top Path) 


for the Tor network, they determined each circuit had an 1 1- 
18% chance that some AS adversary could compromise the 
circuit. They also presented a technique to choose paths with- 
out AS adversaries by using "Snapshots” of the AS topology. 
Akhoondi et al. presented LastTor, an optimization to Tor path 
selection to minimize latency by considering geographic loca- 
tion [5]. They propose using the set of k top most likely AS 
paths to eliminate AS adversaries. They do not report overall 
chances for any given AS to compromise a circuit. Recently, 
Wacek et al. studied Tor’s path selection algorithm [35]. They 
find that using the iPlane’s Nano AS map. Tor paths have a 
27.39% chance to be vulnerable to an AS adversary. Vanbever 
et al. consider the threat of AS adversaries that actively ma- 
nipulate BGP routing, showing that they can dramatically in- 
crease the chances of deanonymizing a Tor user over a period 
of time [34], 

The danger of IX adversaries was first demonstrated by 
Murdoch and Zielinski who demonstrated that an IX could use 
a Bayesian approach to sample traffic and correlate Tor flows 
across ASes peering at the IX [30]. Juen further investigated 
the threat of AS and IX adversaries using Qiu and Gao’s AS 
model and the top k paths estimating the chance of any AS be- 
ing able to compromise the circuit ranging from 10% to 42% 
[23]. He reports the chance of an IX compromise to be be- 
tween 1% and 20%. Johnson et al. investigate the amount of 
time required for an AS, IX, or IX organization to compro- 
mise a circuit using Torps to simulate realistic Tor traffic [22]. 
They only consider the top 3 AS and IX adversaries as seen 
in their inferred data and report the overall chance of an AS 
compromise to be 1.6% for their top 3 ASes. 

We now compare our results with the compromise rates 
of Tor streams against previous work. We calculate the per- 
centage of Tor streams which contain an AS on the client to 
guard and exit to destination paths in the forward, reverse and 
forward and reverse directions for each of our 1 8 billion calcu- 
lated streams. We then compare the results of our directional 
AS path inferences directly to the results from previous work 
and confirm that our AS path inferences give similar results 
for the top AS path as shown in Table 3. We find our results 
most closely correlate with the work of Edmond and Syverson 
with Juen’s results being lower than the average and Wacek et 


al. being much higher. We find this result unsurprising since 
we also use the AS inference algorithm from Qiu and Gao. 
We surmise that the AS inference from iPlanes produce higher 
compromise estimates as seen in Feamster and Dingledine and 
Wacek et al. Juen also uses a modified AS mapping algorithm 
which may produce lower compromise rates. 

Johnson et al. investigated the time expected before a user 
would most likely use a stream compromised by an AS or IX 
adversary. Since we only have inferred and traceroute data for 
0.8% of streams, it is not possible to directly compare the time 
to compromise for our clients. Instead, we investigate the abil- 
ity of the top 3 AS and IX adversaries to compromise a Tor 
stream. Once again, we only consider streams which we have 
both inferred and traceroute data. The ASes and IXes with the 
highest probability to compromise a Tor stream are shown in 
Table 4. Interestingly, we observe the same set of three top AS 
adversaries but in a slightly different order. We also see the 
top IX adversary as number 2 for compromise rates. We see a 
similar 0.5% rate of AS streams compromised by our top AS 
adversaries. We see a higher rate of overall streams compro- 
mised by our top IX adversary at 0.4% compared to roughly 
0.1% in Johnson’s work. The overall compromise rates of all 
streams using the traceroute measurements is much more in- 
teresting. The traceroute measurements never see AS6939, the 
top compromising AS in the inferences. On the other hand, 
the traceroute measurements indicate AS 1299 can compro- 
mise the same percentage of streams as indicated in the in- 
ference. We see drops for both top IX compromise rates for 
the measurements versus the inferences. Once again, Equinix 
Ashburn is not observed in the traceroute measurements. 

Overall, we expect a drop in the actual ability of an IX 
point to compromise a Tor stream primarily due to the ex- 
tremely high false inference of IX points. The difference be- 
tween AS compromise rates shows that the path inference was 
always wrong in identifying AS6939 when compared to tracer- 
outes; however, AS 1299 was seen in the traceroutes at simi- 
lar rates as predicted. Thus, the inference accuracy appears to 
vary greatly depending on which AS is being considered as an 
adversary. 

7 Limitations and Future Work 

The data in this study is limited in several ways. While our vol- 
unteer measuring relays covered roughly 25% of Tor selection 
probability at the AS level, it still only contains 28 hosts. In ad- 
dition. all path inferences were done on paths from Tor relays, 
leaving us without symmetric path information. Furthermore, 
we collected most of our data in the span of weeks, and so 
missed alternative routing paths and routing instabilities. We 
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AS 

Our Rank 

Johnson et al. Rank 

Johnson et al. Comp % 

Comp % 

TR Comp % 

AS6939 HURRICANE Electric 

1 

3 

0.6% 

0.4% 

0.0% 

AS3356 Level 3 Communications 

2 

1 

0.4% 

0.5% 

0.13% 

AS1299TeliaNet Global 

3 

2 

0.4% 

0.5% 

0.5 % 

IX 

Our Rank 

Johnson et al. Rank 

Johnson et al. Comp % 

Comp % 

TR Comp % 

LINX Juniper 

1 

NA 

NA 

0.4% 

0.05% 

DE-CIX Frankfurt 

2 

1 

0.1 % 

0.4% 

0.05% 

Equinix Ashburn 

3 

NA 

NA 

0.4% 

0.0% 


Table 4. Stream Compromise Rates for the Top 3 AS and IX Adversaries for our Work compared to Johnson et al. [22] 


also lack ground truth because of measurement weaknesses 
such as missing or incorrect traceroute hops, missing or stale 
IP prefix announcements from the public route collectors, and 
incomplete or incorrect IX prefix data. We look forward to the 
opportunity to expand network measurement in cooperation 
with Tor and using third-party vantage points such as Look- 
ing Glass servers. We also hope to make use of advances in 
measurement tools to advance this line of inquiry. 

A problem posed by our results is to design solutions for 
Tor to more accurately assess network routing and use that to 
improve security. One promising approach is for Tor to adopt 
the measurement techniques that we used in this study and 
regularly perform traceroute measurements from each of its 
relays. Our experience shows that it is feasible to do so and 
cover the IPv4 address space at the prefix and even /24 subnet 
level. 

Evaluating the effectiveness of using measurements to de- 
tect AS and IX adversaries requires an understanding of the 
characteristics of internet paths. It is important to understand 
how often internet paths between a given set of hosts change 
in order to update measurements and alert clients to potential 
adversaries. It is also important to understand what prefixes 
can be aggregated when measuring paths. Previous work has 
stated that between 66-83% of internet paths are stable over 
the course of a 24-hour period [37]. 

While our measurements were not designed to track paths 
over time, we do have enough measurements that we can ob- 
serve the stability of repeated measurements to the same desti- 
nation /24 prefix. Table 5 shows the number of pairs of paths, 
percentage of identical paths and average number of missed 
ASes and IXes on differing paths for various windows of time 
between measurement. While the numbers of collected tracer- 
outes are too small to make final conclusions, we do see only 
19.9% of paths stable in measurements taken within two hours. 
This result must be further investigated since the number of 
divergent paths contain both a time delay and a different des- 
tination IP address within the same /24. Thus, we have error 
both from differences in target addresses and potential routing 
changes between measurements. 


As expected, we do see lower rates of identical paths 
when increasing the time between measurements; however, 
we do not see much difference in the number of extra ASes 
and IXes introduced when measuring a different path. We can 
expect to have between one to two different ASes when con- 
ducting the second measurement and roughly 0.01 missed IX 
point. The relatively low number of measurements with identi- 
cal paths will require further study into path variability. Since 
these questions can only be answered by a larger set of mea- 
surements from Tor operators conducted over a longer period 
of time, we leave this larger, more ambitious study as impor- 
tant future work. However, we optimistically note that recent 
work has shown promise in predicting what subset of Internet 
paths change often and presented novel methods to estimate 
the rate of change to keep measurements current [10, 11, 20]. 
We believe such work shows the potential in a measurement 
based countermeasure to AS and IX adversaries, but leave the 
specifics of the design and validation to future work. 

Another remaining challenge is to move past the current 
focus on AS-level techniques and adversaries. As laggard et 
al. describe [19], an adversary may find it easier to control a 
group of IP routers running a certain version of software than 
to observe those in the same AS or IX. An adversary may also 
combine strategies and both observe the Internet at certain lo- 
cations and run relays in selected other locations. Evaluating 
the threat of more complicated and realistic network adver- 
saries will require both better adversary modeling and more 
detailed route inference techniques. 

8 Conclusions 

We have presented a measurement study to evaluate the suit- 
ability of Internet AS and IX path-prediction algorithms to as- 
sess and mitigate the threats from network-level adversaries to 
the Tor network. Using traceroute data from the volunteer op- 
erators of 28 Tor relays, we show that current techniques for 
inferring AS-level Internet paths and the IXes on them signifi- 
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Period 

Measurements 

% Identical 

Average Missed ASes 

Average Missed IXes 

2 Hours 

128 

19.9 

1.7 

0.01 

12 Hours 

474 

17.2 

1.6 

0.005 

1 Day 

826 

18.7 

1.7 

0.01 

3 Days 

2572 

16.6 

1.6 

0.01 

7 Days 

13340 

14.9 

1.6 

0.01 

28 Days 

19668 

10.1 

1.6 

0.007 


Table 5. Repeated Path Measurements over Time 


cantly overestimate number of ASes and IXes traversed by Tor 
traffic. 

To evaluate how our results affect the current and future 
security of Tor, we perform Monte Carlo simulations of Tor’s 
current path-selection algorithm and the AS/IX-independent 
path-selection algorithm proposed in the literature. When we 
examine the results, we see evidence that Tor is likely less vul- 
nerable to an AS or IX adversary than has been previously 
found. A direct comparison with a prior evaluation shows that 
it is likely to have overstated the risk of a single AS many times 
over and that of a single IX by an order of magnitude. 

We also find that the AS/IX-independent path-selection 
algorithm may still leave a significant chance for users to be 
deanonymized over time due to the errors in path prediction — 
we estimate a 5-11% risk in just one week when the claimed 
chance is 0%. Moreover, we find that this algorithm appears 
to force a tradeoff between connection failures and exposing 
users to potentially-malicious relays, even though in nearly all 
cases the failures could be avoided with better measurement. 

Our results suggest the importance of accurate measure- 
ment both for understanding Tor security and for improving 
it. 
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Appendix 

Details of Participating Tor Relays 

Traceroutes from our 28 participating Tor relays originated in 
14 different countries. Table 6 summarizes the guard and exit 
probabilities of the participating relays in the Tor network at 
the relay, AS, and prefix level. The guard and exit probabili- 
ties for all relays are taken from the Tor consensus of January 
19, 2014 (at 12am) obtained from CollecTor [1]. Guards are 
taken to be relays with the following flags in the consensus: 
Running. Valid. Guard, and Fast. Exits are taken to be re- 
lays with the Running and Valid flags, without the BadExit 
flag, and with an exit policy that doesn’t reject all ports and 
IP addresses. Relay ASes and prefixes are determined using 
the Route Views prefix-to-AS mapping of January 19, 2014 
obtained from CAIDA 12 and longest prefix match on that 
same data. The guard (exit) probability for an AS or prefix is 
calculated as the sum of guard-selection (resp. exit-selection) 
probabilities of all relays contained in that AS or with a longest 
prefix match. 


12 http://www.caida.org/data/routing/routeviews-prefix2as.xml 
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IP 

Country 

AS Number 

Relay Probability 

AS Probability 

Prefix Probability 

Guard 

Exit 

Guard 

Exit 

Guard 

Exit 

81.7.13.84 

Germany 

35366 

0.14% 

0% 

1.66% 

0.37% 

1.4% 

0.27% 

81.7.11.129 

Germany 

0.24% 

0% 

37.200.98.5 

Germany 

34011 

0.36% 

0% 

2.29% 

0.048% 

0.63% 

0.028% 

213.185.88.234 

Germany 

29354 

0.19% 

0% 

0.19% 

0% 

0.19% 

0% 

185.15.244.124 

Germany 

24961 

0.22% 

0% 

2.02% 

3.39% 

0.23% 

0% 

134.255.239.61 

Germany 

197071 

0.09% 

0% 

0.10% 

0% 

0.09% 

0% 

23.239.134.29 

United States 

33182 

0.03% 

0% 

0.05% 

0% 

0.034% 

0% 

206.217.135.164 

United States 

36352 

0.07% 

0% 

0.89% 

0.23% 

0.12% 

0% 

192.3.142.234 

United States 

0.14% 

0% 

0.14% 

0% 

216.230.230.247 

United States 

40156 

0.14% 

0% 

0.15% 

0% 

0.14% 

0% 

23.92.65.25 

United States 

54540 

0% 

0% 

0.089% 

0% 

0% 

0% 

109.232.224.91 

Netherlands 

57172 

0% 

0% 

0% 

0% 

0% 

0% 

146.185.143.144 

Netherlands 

46652 

0.0002% 

0.002% 

0.90% 

0.54% 

0.24% 

0.037% 

88.191.162.192 

France 

12322 

0.1% 

0% 

1.26% 

0.35% 

1.2% 

0.34% 

88.190.14.112 

France 

0.6% 

0% 

95.130.11.214 

France 

196689 

0.06% 

0% 

0.23% 

1.26% 

0.23% 

1.3% 

37.187.20.59 

France 

16276 

0.12% 

0% 

8.12% 

3.78% 

1.4% 

0.45% 

198.27.97.223 

Canada 

0.09% 

0% 

0.098% 

0% 

89.46.100.162 

Romania 

58207 

0% 

0% 

0.096% 

0% 

0.096% 

0% 

5.254.101.92 

Romania 

39743 

0% 

0% 

1.25% 

8.38% 

0.046% 

0% 

46.23.70.195 

United Kingdom 

13213 

0.21% 

0% 

1.03% 

4.68% 

0.21% 

0% 

37.247.52.27 

Italy 

34971 

0.005% 

0% 

0.066% 

0% 

0.05% 

0% 

217.12.199.190 

Ukraine 

15626 

0% 

0% 

0.093% 

0.66% 

0% 

0% 

212.186.51.184 

Austria 

6830 

0.001% 

0.009% 

0.55% 

0.16% 

0.0013% 

0.0097% 

91.219.237.110 

Hungary 

56322 

0% 

0% 

0.71% 

1 .04% 

0.71% 

1% 

37.0.123.152 

Russia 

198310 

0.12% 

0% 

0.12% 

0% 

0.12% 

0% 

46.28.110.129 

Czech Republic 

197019 

0.19% 

0% 

1.36% 

0.68% 

0.26% 

0.23% 

218.251.112.170 

Japan 

17511 

0.005% 

0% 

0.021% 

0% 

0.0054% 

0% 

Total 

3.12% 

0.01% 

23.25% 

25.56% 

7.64% 

3.66% 


Table 6. Details of our participating Tor relays. 



